[strongSwan] ECDSA failures with Strongswan 5.0.2 and openssl 1.0.1e-fips

Scot Hutchinson shutchinson at oceusnetworks.com
Tue Apr 2 17:41:18 CEST 2013



ECDSA failures with Strongswan 5.0.2 and openssl 1.0.1e-fips

Apr  2 14:59:33 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 2 builders
Apr  2 14:59:33 00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/outerKey.pem' failed

I'm also seeing these messages related to the private key that was generated on the server:
Apr  2 15:18:16 00[ASN] L1 - encryptionAlgorithm:
Apr  2 15:18:16 00[ASN] L2 - algorithmIdentifier: ASN1 tag 0x30 expected, but is 0x02

I'm not sure where the source of failure is: the build, cert/key creation, or Strongswan configuration.

These are the configure parameters used when building Strongswan:
 ./configure --enable-openssl --prefix=/usr --sysconfdir=/etc
 make
 make install


Here are the commands used to generate the keys and cert request:
# ipsec pki --gen --type ecdsa --size 384 > ecdsaKey.pem
# ipsec pki --req --in ecdsaKey.pem --type ecdsa --dn "C=US,ST=Texas,L=City,O=Company,OU=Engineering,CN=10.50.102.44" --digest sha384 --outform pem > ecdsaReq.pem

Here are the modules loaded in strongswan.conf
load = openssl fips-prf charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-netlink socket-default stroke updown

Below are the full strongswan restart logs:

Thanks,
Scot

Apr  2 15:18:13 00[DMN] signal of type SIGINT received. Shutting down
Apr  2 15:18:13 00[MGR] going to destroy IKE_SA manager and all managed IKE_SA's
Apr  2 15:18:13 00[MGR] set driveout flags for all stored IKE_SA's
Apr  2 15:18:13 00[MGR] wait for all threads to leave IKE_SA's
Apr  2 15:18:13 00[MGR] delete all IKE_SA's
Apr  2 15:18:13 00[MGR] destroy all entries
Apr  2 15:18:13 03[JOB] terminated worker thread 03
Apr  2 15:18:13 06[JOB] terminated worker thread 06
Apr  2 15:18:13 01[JOB] terminated worker thread 01
Apr  2 15:18:13 05[JOB] terminated worker thread 05
Apr  2 15:18:13 02[JOB] terminated worker thread 02
Apr  2 15:18:13 04[JOB] terminated worker thread 04
Apr  2 15:18:13 07[JOB] terminated worker thread 07
tail: /var/log/charon.log: file truncated
Apr  2 15:18:16 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-358.el6.x86_64, x86_64)
Apr  2 15:18:16 00[LIB] plugin 'openssl': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'fips-prf': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'aes': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'des': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'sha1': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'sha2': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'md5': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'random': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'nonce': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'x509': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'pubkey': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'pkcs1': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'pkcs8': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'pgp': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'pem': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'gmp': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'xcbc': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'hmac': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'kernel-netlink': loaded successfully
Apr  2 15:18:16 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
Apr  2 15:18:16 00[KNL] listening on interfaces:
Apr  2 15:18:16 00[KNL]   eth0
Apr  2 15:18:16 00[KNL]     10.50.102.44
Apr  2 15:18:16 00[KNL]     fe80::20c:29ff:fe7b:94b9
Apr  2 15:18:16 00[KNL]   eth1
Apr  2 15:18:16 00[KNL]     fe80::20c:29ff:fe7b:94c3
Apr  2 15:18:16 00[LIB] plugin 'socket-default': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'stroke': loaded successfully
Apr  2 15:18:16 00[LIB] plugin 'updown': loaded successfully
Apr  2 15:18:16 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Apr  2 15:18:16 00[ASN]   file content is not binary ASN.1
Apr  2 15:18:16 00[ASN]   -----BEGIN CERTIFICATE-----
Apr  2 15:18:16 00[ASN]   -----END CERTIFICATE-----
Apr  2 15:18:16 00[LIB] OpenSSL X.509 parsing failed
Apr  2 15:18:16 00[ASN] L0 - x509:
Apr  2 15:18:16 00[ASN] L1 - tbsCertificate:
Apr  2 15:18:16 00[ASN] L2 - DEFAULT v1:
Apr  2 15:18:16 00[ASN]   X.509v1
Apr  2 15:18:16 00[ASN] L2 - serialNumber:
Apr  2 15:18:16 00[ASN] L2 - signature:
Apr  2 15:18:16 00[ASN] L3 - algorithmIdentifier:
Apr  2 15:18:16 00[ASN] L4 - algorithm:
Apr  2 15:18:16 00[ASN]   'ecdsa-with-SHA384'
Apr  2 15:18:16 00[ASN] L2 - issuer:
Apr  2 15:18:16 00[ASN]   'C=US, ST=Texas, L=City, O=Company, OU=Engineering, CN=ca.company.com'
Apr  2 15:18:16 00[ASN] L2 - validity:
Apr  2 15:18:16 00[ASN] L3 - notBefore:
Apr  2 15:18:16 00[ASN] L4 - utcTime:
Apr  2 15:18:16 00[ASN]   'Mar 29 12:21:59 UTC 2013'
Apr  2 15:18:16 00[ASN] L3 - notAfter:
Apr  2 15:18:16 00[ASN] L4 - utcTime:
Apr  2 15:18:16 00[ASN]   'Mar 27 12:21:59 UTC 2023'
Apr  2 15:18:16 00[ASN] L2 - subject:
Apr  2 15:18:16 00[ASN]   'C=US, ST=Texas, L=City, O=Company, OU=Engineering, CN=ca.company.com'
Apr  2 15:18:16 00[ASN] L2 - subjectPublicKeyInfo:
Apr  2 15:18:16 00[ASN] -- > --
Apr  2 15:18:16 00[ASN] L0 - subjectPublicKeyInfo:
Apr  2 15:18:16 00[ASN] L1 - algorithm:
Apr  2 15:18:16 00[ASN] L2 - algorithmIdentifier:
Apr  2 15:18:16 00[ASN] L3 - algorithm:
Apr  2 15:18:16 00[ASN]   'id-ecPublicKey'
Apr  2 15:18:16 00[ASN] L3 - parameters:
Apr  2 15:18:16 00[ASN] -- < --
Apr  2 15:18:16 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
Apr  2 15:18:16 00[CFG]   loading ca certificate from '/etc/strongswan/ipsec.d/cacerts/ca_cert.pem' failed
Apr  2 15:18:16 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Apr  2 15:18:16 00[LIB] opening directory '/etc/strongswan/ipsec.d/aacerts' failed: No such file or directory
Apr  2 15:18:16 00[CFG]   reading directory failed
Apr  2 15:18:16 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Apr  2 15:18:16 00[LIB] opening directory '/etc/strongswan/ipsec.d/ocspcerts' failed: No such file or directory
Apr  2 15:18:16 00[CFG]   reading directory failed
Apr  2 15:18:16 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Apr  2 15:18:16 00[LIB] opening directory '/etc/strongswan/ipsec.d/acerts' failed: No such file or directory
Apr  2 15:18:16 00[CFG]   reading directory failed
Apr  2 15:18:16 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Apr  2 15:18:16 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr  2 15:18:16 00[ASN]   file content is not binary ASN.1
Apr  2 15:18:16 00[ASN]   -----BEGIN EC PRIVATE KEY-----
Apr  2 15:18:16 00[ASN]   -----END EC PRIVATE KEY-----
Apr  2 15:18:16 00[ASN] L0 - encryptedPrivateKeyInfo:
Apr  2 15:18:16 00[ASN] L1 - encryptionAlgorithm:
Apr  2 15:18:16 00[ASN] L2 - algorithmIdentifier: ASN1 tag 0x30 expected, but is 0x02
Apr  2 15:18:16 00[ASN] L0 - privateKeyInfo:
Apr  2 15:18:16 00[ASN] L1 - version:
Apr  2 15:18:16 00[ASN] L1 - privateKeyAlgorithm:
Apr  2 15:18:16 00[ASN] L2 - algorithmIdentifier: ASN1 tag 0x30 expected, but is 0x04
Apr  2 15:18:16 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 2 builders
Apr  2 15:18:16 00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/outerKey.pem' failed
Apr  2 15:18:16 00[LIB] feature PRIVKEY:DSA in 'pem' plugin has unsatisfied dependency: PRIVKEY:DSA
Apr  2 15:18:16 00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied dependency: PUBKEY:ECDSA
Apr  2 15:18:16 00[LIB] feature PUBKEY:DSA in 'pem' plugin has unsatisfied dependency: PUBKEY:DSA
Apr  2 15:18:16 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in 'pem' plugin has unsatisfied dependency: CERT_DECODE:X509_OCSP_REQUEST
Apr  2 15:18:16 00[DMN] loaded plugins: charon openssl fips-prf aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-netlink socket-default stroke updown
Apr  2 15:18:16 00[JOB] spawning 16 worker threads
Apr  2 15:18:16 01[LIB] created thread 01 [8914]
Apr  2 15:18:16 02[LIB] created thread 02 [8915]
Apr  2 15:18:16 02[JOB] started worker thread 02
Apr  2 15:18:16 01[JOB] started worker thread 01
Apr  2 15:18:16 03[LIB] created thread 03 [8916]
Apr  2 15:18:16 03[JOB] started worker thread 03
Apr  2 15:18:16 05[LIB] created thread 05 [8918]
Apr  2 15:18:16 07[LIB] created thread 07 [8920]
Apr  2 15:18:16 06[LIB] created thread 06 [8919]
Apr  2 15:18:16 08[LIB] created thread 08 [8921]
Apr  2 15:18:16 11[LIB] created thread 11 [8924]
Apr  2 15:18:16 07[JOB] started worker thread 07
Apr  2 15:18:16 06[JOB] started worker thread 06
Apr  2 15:18:16 05[JOB] started worker thread 05
Apr  2 15:18:16 10[LIB] created thread 10 [8923]
Apr  2 15:18:16 10[JOB] started worker thread 10
Apr  2 15:18:16 04[LIB] created thread 04 [8917]
Apr  2 15:18:16 04[JOB] started worker thread 04
Apr  2 15:18:16 09[LIB] created thread 09 [8922]
Apr  2 15:18:16 09[JOB] started worker thread 09
Apr  2 15:18:16 11[JOB] started worker thread 11
Apr  2 15:18:16 15[LIB] created thread 15 [8928]
Apr  2 15:18:16 15[JOB] started worker thread 15
Apr  2 15:18:16 16[LIB] created thread 16 [8929]
Apr  2 15:18:16 16[JOB] started worker thread 16
Apr  2 15:18:16 14[LIB] created thread 14 [8927]
Apr  2 15:18:16 14[JOB] started worker thread 14
Apr  2 15:18:16 02[JOB] no events, waiting
Apr  2 15:18:16 05[NET] waiting for data on sockets
Apr  2 15:18:16 08[JOB] started worker thread 08
Apr  2 15:18:16 13[LIB] created thread 13 [8926]
Apr  2 15:18:16 12[LIB] created thread 12 [8925]
Apr  2 15:18:16 12[JOB] started worker thread 12
Apr  2 15:18:16 13[JOB] started worker thread 13
Apr  2 15:18:16 04[CFG] received stroke: add connection 'device-outer-tunnel'
Apr  2 15:18:16 04[CFG] conn device-outer-tunnel
Apr  2 15:18:16 04[CFG]   left=10.50.102.17
Apr  2 15:18:16 04[CFG]   leftsubnet=10.50.102.16/28
Apr  2 15:18:16 04[CFG]   leftsourceip=(null)
Apr  2 15:18:16 04[CFG]   leftauth=pubkey
Apr  2 15:18:16 04[CFG]   leftauth2=(null)
Apr  2 15:18:16 04[CFG]   leftid=(null)
Apr  2 15:18:16 04[CFG]   leftid2=(null)
Apr  2 15:18:16 04[CFG]   leftrsakey=(null)
Apr  2 15:18:16 04[CFG]   leftcert=ecdsaReq_cert.pem
Apr  2 15:18:16 04[CFG]   leftcert2=(null)
Apr  2 15:18:16 04[CFG]   leftca=(null)
Apr  2 15:18:16 04[CFG]   leftca2=(null)
Apr  2 15:18:16 04[CFG]   leftgroups=(null)
Apr  2 15:18:16 04[CFG]   leftupdown=(null)
Apr  2 15:18:16 04[CFG]   right=%any
Apr  2 15:18:16 04[CFG]   rightsubnet=(null)
Apr  2 15:18:16 04[CFG]   rightsourceip=(null)
Apr  2 15:18:16 04[CFG]   rightauth=pubkey
Apr  2 15:18:16 04[CFG]   rightauth2=(null)
Apr  2 15:18:16 04[CFG]   rightid=C=US, ST=Texas, L=City, O=Company, OU=Engineering, CN=ca.company.com
Apr  2 15:18:16 04[CFG]   rightid2=(null)
Apr  2 15:18:16 04[CFG]   rightrsakey=(null)
Apr  2 15:18:16 04[CFG]   rightcert=(null)
Apr  2 15:18:16 04[CFG]   rightcert2=(null)
Apr  2 15:18:16 04[CFG]   rightca=(null)
Apr  2 15:18:16 04[CFG]   rightca2=(null)
Apr  2 15:18:16 04[CFG]   rightgroups=(null)
Apr  2 15:18:16 04[CFG]   rightupdown=(null)
Apr  2 15:18:16 04[CFG]   eap_identity=(null)
Apr  2 15:18:16 04[CFG]   aaa_identity=(null)
Apr  2 15:18:16 04[CFG]   xauth_identity=(null)
Apr  2 15:18:16 04[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
Apr  2 15:18:16 04[CFG]   esp=aes128-sha1-modp2048,3des-sha1-modp1536
Apr  2 15:18:16 04[CFG]   dpddelay=30
Apr  2 15:18:16 04[CFG]   dpdtimeout=150
Apr  2 15:18:16 04[CFG]   dpdaction=0
Apr  2 15:18:16 04[CFG]   closeaction=0
Apr  2 15:18:16 04[CFG]   mediation=no
Apr  2 15:18:16 04[CFG]   mediated_by=(null)
Apr  2 15:18:16 04[CFG]   me_peerid=(null)
Apr  2 15:18:16 04[CFG]   keyexchange=ikev2
Apr  2 15:18:16 04[KNL] getting interface name for %any
Apr  2 15:18:16 04[KNL] %any is not a local address
Apr  2 15:18:16 04[KNL] getting interface name for 10.50.102.17
Apr  2 15:18:16 04[KNL] 10.50.102.17 is not a local address
Apr  2 15:18:16 04[CFG] left nor right host is our side, assuming left=local
Apr  2 15:18:16 04[ASN]   file content is not binary ASN.1
Apr  2 15:18:16 04[ASN]   -----BEGIN CERTIFICATE-----
Apr  2 15:18:16 04[ASN]   -----END CERTIFICATE-----
Apr  2 15:18:16 04[LIB] OpenSSL X.509 parsing failed
Apr  2 15:18:16 04[ASN] L0 - x509:
Apr  2 15:18:16 04[ASN] L1 - tbsCertificate:
Apr  2 15:18:16 04[ASN] L2 - DEFAULT v1:
Apr  2 15:18:16 04[ASN]   X.509v1
Apr  2 15:18:16 04[ASN] L2 - serialNumber:
Apr  2 15:18:16 04[ASN] L2 - signature:
Apr  2 15:18:16 04[ASN] L3 - algorithmIdentifier:
Apr  2 15:18:16 04[ASN] L4 - algorithm:
Apr  2 15:18:16 04[ASN]   'ecdsa-with-SHA384'
Apr  2 15:18:16 04[ASN] L2 - issuer:
Apr  2 15:18:16 04[ASN]   'C=US, ST=Texas, L=City, O=Company, OU=Engineering, CN=ca.company.com'
Apr  2 15:18:16 04[ASN] L2 - validity:
Apr  2 15:18:16 04[ASN] L3 - notBefore:
Apr  2 15:18:16 04[ASN] L4 - utcTime:
Apr  2 15:18:16 04[ASN]   'Apr 02 14:30:33 UTC 2013'
Apr  2 15:18:16 04[ASN] L3 - notAfter:
Apr  2 15:18:16 04[ASN] L4 - utcTime:
Apr  2 15:18:16 04[ASN]   'Apr 02 14:30:33 UTC 2014'
Apr  2 15:18:16 04[ASN] L2 - subject:
Apr  2 15:18:16 04[ASN]   'C=US, ST=Texas, L=City, O=Company, OU=Engineering, CN=10.50.102.44'
Apr  2 15:18:16 04[ASN] L2 - subjectPublicKeyInfo:
Apr  2 15:18:16 04[ASN] -- > --
Apr  2 15:18:16 04[ASN] L0 - subjectPublicKeyInfo:
Apr  2 15:18:16 04[ASN] L1 - algorithm:
Apr  2 15:18:16 04[ASN] L2 - algorithmIdentifier:
Apr  2 15:18:16 04[ASN] L3 - algorithm:
Apr  2 15:18:16 04[ASN]   'id-ecPublicKey'
Apr  2 15:18:16 04[ASN] L3 - parameters:
Apr  2 15:18:16 04[ASN] -- < --
Apr  2 15:18:16 04[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Apr  2 15:18:16 04[CFG]   loading certificate from 'ecdsaReq_cert.pem' failed
Apr  2 15:18:16 04[CFG] added configuration 'device-outer-tunnel'
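
Added example (not part of the original post, and not strongSwan code): the two "ASN1 tag 0x30 expected" lines in the log above are what results when the body of a "-----BEGIN EC PRIVATE KEY-----" file (SEC1 / RFC 5915 ECPrivateKey) is tried against the two PKCS#8 layouts. The Python sketch below reproduces both mismatches on constructed DER samples; the key bytes, the function names and the TEMPLATES table are assumptions made for illustration.

```python
# Added example: minimal DER walker. Sample keys are constructed, not real keys.
EC_OID = bytes.fromhex("06072a8648ce3d0201")  # OID 1.2.840.10045.2.1 id-ecPublicKey
CURVE = bytes.fromhex("06052b81040022")       # OID 1.3.132.0.34 secp384r1
TEMPLATES = {                                 # expected child tags per layout
    "encryptedPrivateKeyInfo": [0x30, 0x04],  # AlgorithmIdentifier, encryptedData
    "privateKeyInfo": [0x02, 0x30, 0x04],     # version, AlgorithmIdentifier, key
    "ECPrivateKey": [0x02, 0x04],             # version, privateKey (RFC 5915)
}

def tlv(tag, body):
    """DER-encode one element; short-form length only, enough for the samples."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one element at pos; return (tag, body, next_pos)."""
    tag, size, pos = buf[pos], buf[pos + 1], pos + 2
    if size & 0x80:                           # long form: low bits count length bytes
        count = size & 0x7F
        size, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + size > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + size], pos + size

def child_tags(der):
    """Tags of the elements directly inside the outer SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    return tags

def try_templates(der):
    """Per layout, return 'ok' or the first tag mismatch in charon-style wording."""
    tags, verdicts = child_tags(der), {}
    for name, want in TEMPLATES.items():
        got = tags[:len(want)] + [None] * (len(want) - len(tags))
        bad = [(w, g) for w, g in zip(want, got) if w != g]
        verdicts[name] = "ok" if not bad else (
            "tag 0x%02x expected, but is %s" % (bad[0][0],
            "missing" if bad[0][1] is None else "0x%02x" % bad[0][1]))
    return verdicts

KEY = bytes(range(1, 49))                     # constructed 48-byte placeholder scalar
SEC1 = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, KEY) + tlv(0xA0, CURVE))
PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, EC_OID + CURVE) + tlv(0x04, SEC1))
```

try_templates(SEC1) yields the same 0x02 and 0x04 mismatches as the encryptedPrivateKeyInfo and privateKeyInfo lines in the log, while the ECPrivateKey layout matches; those two messages describe a well-formed SEC1 key being offered to PKCS#8 parsers and do not by themselves indicate a damaged file.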
